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1. 


did; 


1.2. 


1.3. 


Introduction 


Heathrow Airport Ltd. (Heathrow) provide airport services to airlines flying passengers around the globe. 


To increase the speed, efficiency and security of passengers’ journeys through, and reduce congestion in, the Airport’s 
terminals, Heathrow are in the process of automating part of the passengers’ journey through the Airport by providing Self 
Service Bag Drop (SSBD) units and Self Boarding Gates (SBG). In addition to these, Heathrow are also progressing with an 
initiative that involves providing passengers with the capability to assert their identity (i.e. “I am who I say I am”) without 
the need for an airline agent to check their identity document. This process would use Facial Recognition Technology (FRT) 
to verify the passengers’ identity from an ID source (document such as passport or an ID service). This project is referred to 
in this document as the Automated Passenger Journey (APJ). 


During Heathrow’s engagement with the Sandbox, we aimed to achieve the following four objectives: 


e Objective 1: Explore and clarify the relationships between the different entities (Airport, Airlines, Technology 
provider) involved in the processing of biometric personal data for APJ to establish who is a data controller, joint data 
controller and/or data processor. 


e Objective 2: Review and confirm the applicable GDPR/DPA18 provisions that relate to the capture and management 
of biometric data to uniquely identify an individual, and identify the processes that would be suitable to meet these 
requirements for data subjects whom Heathrow does not currently have a direct relationship with. 


e Objective 3: Utilise insights from the analysis outlined in objective two to design an appropriate, compliant method 
for providing data subjects with sufficient transparency information so that passengers are able to make an informed 
choice and give valid explicit consent for the processing of their biometric information as part of the APJ. This method 
must also meet Heathrow’s operational requirements. 


e Objective 4: Assess the proposed method for obtaining explicit consent in a live environment and obtain feedback 
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from data subjects to establish their understanding and experience of providing explicit consent and utilising the APJ 
service. Feedback from test data subjects should be used to further develop Heathrow’s processes where appropriate. 


1.4. Heathrow were accepted into the Sandbox on 01 July 2019 and a Senior Case Officer appointed. The Senior Case Officer 
attended the offices of Heathrow on 31 July 2019 to conduct a scoping visit to aid the drafting of Heathrow’s Sandbox 
Participation Plan. 


1.5. The content of the Sandbox Plan was agreed by Tom Stapleton, the then Data Protection Officer for Heathrow Airport, on 12 
September 2019 and approved by the ICO Sandbox commissioning and advisory group on 30 September 2019. 


1.6. On 11 March 2020 Heathrow and the ICO agreed that Heathrow’s Sandbox participation should come to an endt. Heathrow 
will use the steers provided to them during their time in the Sandbox, in conjunction with Airline and Technology providers 
to design a suitable GDPR compliant process for automating passenger journeys in the airport. 


1 Further information on Heathrow’s exit from the Sandbox is available in paragraph 4.14. 
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2, 


21. 


2.2. 


2.3. 


Executive summary 


Heathrow’s Sandbox plan covered their APJ project’s use of biometric FRT capability at various touchpoints in the departing 
passenger journey, such as Automated Bag Drops and Self Boarding Gates. At the stage the APJ project was at whilst in the 
Sandbox, this involved automating passenger identity by matching an ‘on the day image’ taken of the passenger at a 
touchpoint to the image recorded in their passport. Biometric matching will then be used at subsequent touchpoints to prove 
it is still the same passenger without the requirement to provide documentation again, thus expediting the passenger’s 
journey through the Airport. 


Heathrow also wanted to explore the possibility of allowing Airlines flying passengers to the USA to verify passengers’ 
identities against the US Custom and Border Protection’s (CBP’s) Traveller Verification Service (TVS). This would use the 
confirmation of ID of that passenger from any previous US visit, and would confirm that the passenger matched the 
information they had provided to the airline. This processing will involve matching the ‘on the day image’ collected as part of 
the processing activity detailed above, against the TVS database, thus confirming the passenger's identity and that the 
Advanced Passenger Information (API) provided by the passenger is correct. 


During Heathrow’s participation in the Sandbox we have considered the following key data protection issues: 


e Complex data controllership issues (i.e. which party should be considered a controller, joint controller or processor 
with regard to the processing activity?) - ICO reached the view that in the context of APJ processing as considered 
within the Sandbox project Heathrow would likely be considered a joint controller with each of their partner airlines. 
This is because Heathrow have a business interest in the introduction of the APJ, appear to be the party determining 
the Article 6 basis and Article 9 condition for processing the data; and appear to be determining the means through 
which the processing activity takes place. In the context of TVS processing however, the ICO thought it likely that 
Heathrow would be considered a processor on the behalf of each of their partner airlines, as Heathrow appear to be 
providing a service to, and acting on the instructions of, their partner Airlines (assumed to be the controllers in this 
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scenario)”. 


Extending existing legal obligations for APJ processing - ICO formed the view that Heathrow were unlikely to be 
able to rely on a 2009 amendment to the Immigration Act 1971 for the purposes of relying on the compliance with a 
legal obligation as a lawful basis under Article 6 of the GDPR, in order to process all passengers’ biometric data for APJ 
purposes. This is because APJ processing as defined in the Sandbox project appears to go beyond the limits of the 
biometric processing specifically mandated by the amendment. It was suggested that consent and explicit consent 
may therefore be the most appropriate lawful basis and condition for processing respectively, for Heathrow to utilise 
when processing biometric data associated with the APJ. 


How could/should Heathrow collect explicit consent? In order to ensure that Heathrow provide the best service 
possible for their passengers, Heathrow wanted to explore the limit/extent of what could be considered to be a 
recordable, unambiguous indication of a passenger’s explicit consent to processing of their biometric data. Heathrow 
outlined two methods for gathering explicit consent from passengers, the first method involved using consent 
statements. The second method, Heathrow’s preferred approach, was based on layered communications and an 
affirmative action being completed by the passenger as a means of showing an express statement of explicit consent. 
The ICO reviewed a description of Heathrow’s approaches and provided guidance to Heathrow on the data protection 
implications of these methods. Based on the position articulated by the ICO it was jointly agreed that the proposed 
mechanism for obtaining explicit consent through the use of layered affirmative actions would not be compliant and 
therefore a more detailed plan concerning this approach was not pursued. 


Can the TVS database be used for undertaking ID verifications? Based on the information provided by 
Heathrow about the proposed processing activity, the ICO formed the view that in principle, it was likely that Heathrow 
could legally undertake this processing as a processor - however Heathrow, in conjunction with their partner Airlines, 


2 Please note the roles of other parties involved in this processing, such as US CBP was not considered in the scope of Heathrow’s Sandbox 


participation. 
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would have to give careful consideration on a case by case basis, to the following: 


O 


Working together to determine who, in practice, for the purpose of TVS processing, should be considered a 
controller/processor and confirming this contractually. 


Determining each parties’ respective obligations under GDPR. 


How all the parties involved in the transfer will comply with Article 44 of the GDPR in relation to transfers of 
the passenger personal data to the CBP in the United States. 


Whether or not the transfer of digital images involved in this processing would trigger Article 9 of the GDPR, 
as the end purpose of the transfer involved biometric processing for the purposes of uniquely identifying the 
individual data subjects. 


Which GDPR Article 6 basis (and Article 9 condition if required) for processing is the most appropriate to rely 
on when processing personal data associated with the TVS. The ICO advised that they believe the controller 
may be able to make a robust argument for relying on 6,1(F), ‘legitimate interests’ of the data controller, 
provided that they undertake a suitable Legitimate Interest Assessment (LIA) to justify the processing. 


The ICO also advised that, provided that the passengers had a sufficient opt out opportunity while they were 
still in the UK, consent gathered by Heathrow on the behalf of the Airlines for purposes of ensuring that the 
international transfer of personal data to CBP in the United States was compliant with Article 44 of the GDPR, 
would likely be considered valid - in particular, this would enable the parties to be able to rely on the explicit 
consent derogation set out under Article 49(1)(a) of the GDPR. 
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3. Product/service description 


Bids 


3.2. 


3:3; 


Heathrow’s APJ project as considered in the Sandbox involves leveraging biometric FRT capability at various touchpoints in 
the departing passenger journey, such as Automated Bag Drops and Self Boarding Gates. Automating the passenger ID will 
involve matching an ‘on the day image’ taken of the passenger at the Automated Bag Drop to the image recorded on their 
passport’s chip, in order to verify the passenger’s identity. Biometric matching will then be used at subsequent touchpoints 
to prove it is still the same passenger without the requirement to provide documentation again (i.e. by matching subsequent 
scans of the passenger’s facial biometrics to those extracted from the first ‘on the day image’), thus expediting the 
passenger's journey through the Airport3. 


Confirming the authenticity of the passengers’ identification document takes place at numerous touchpoints. This 
authentication validates the Advanced Passenger Information (API) data provided by passengers to their Airlines and 
supports Authorisation And Accounting (AAA or Triple A) checks which Airports/Airlines need to carry out. Currently these 
identity verifications are completed manually by Airline staff located in the terminal, who verify the passenger’s identity 
before they are allowed access to an Automated Bag Drop station, meaning that queues often form and Automated Bag 
Drops are underutilised. 


Heathrow’s proposed APJ processing would automate this ID process by enabling biometric scanners on the Automated Bag 
Drops to undertake ID confirmation and at Self Boarding Gates to undertake biometric verification. The Automated Bag Drop 
scanner would biometrically enrol data subjects into the APJ by collecting their explicit consent and an ‘on the day’ image of 
the passenger/Data Subject. A template of the Data Subject’s face would then be created and matched against another 
template created from the Data Subject’s passport image. If the template images match, this will be deemed to confirm the 
Data Subject’s identity. At Self Boarding Gates the biometric scanner would capture another image of the Data Subject and 


3 In future Heathrow may make use of an ID service with the objective of proving that passenger’s ID, but this issue was not directly addressed 
in the Sandbox. 
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3.4. 


Chor 


match the extracted template against the template created at the Automated Bag Drop. This would mean that 
passengers/Data Subjects (subject to agreed Airline processes) would not need to present their passport again at boarding 
gates, and the AAA checks are therefore fulfilled. 


In addition, Heathrow also wanted to explore enabling additional functionality to the APJ which would allow Airlines flying 
passengers to the USA to verify passengers’ identities against the US Customs and Border Protection’s (CBP’s) Traveller 
Verification Service (TVS). This processing would involve using data provided by the passenger from a previous US visit in 
order to provide assurance that the passenger matched the information they had already provided to the airline. It is 
understood that this processing would involve matching the ‘on the day image’ collected as part of the processing activity 
detailed above, against the TVS database, thus confirming the passenger’s identity and that the Advanced Passenger 
Information (API) provided by the passenger is correct. This is referred to henceforth in this document as TVS processing. It 
is understood that this processing would involve: 


e Transferring the ‘on the day image’ collected as part of the APJ process directly to the CBP’s TVS in the USA. 


e TVS would then extract a biometric template from the ‘on the day image’ and match this image against a gallery of 
images of individuals who have already entered the USA previously (the TVS Gallery). 


It is understood that if a data subject’s image is then confirmed against the TVS database then, as this match has been 
made as a result of API information provided by the passenger, this provides a verification of the passenger’s identity. In 
circumstances where an ID match by the TVS is not received, then a passenger’s ID will be verified by either an automated 
or manual passport check. 
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4. 


4.2. 


Key data protection considerations 


During Heathrow’s participation in the Sandbox we considered the following key data protection issues: 


Complex data controllership issues surrounding APJ processing (i.e. which party should be considered a data 
controller, joint data controller or data processors with regard to the processing activity?) 


Could Heathrow’s existing legal obligation to verify domestic passengers’ identities through the means of biometric 
data be used as sufficient grounds to justify processing all passengers’ biometric data for APJ purposes? 


When and how should Heathrow look to collect consent/explicit consent from passengers? 


Whether or not Heathrow could undertake TVS processing within the legal framework of the GDPR. 


In order to address the above key issues the ICO and Heathrow agreed the following four objectives which were 
documented on Heathrow’s Sandbox plan: 


Objective 1: Explore and clarify the relationships between the different entities (Airport, Airlines, Technology 
provider) involved in the processing of biometric personal data for APJ to establish who is a controller and/or 
processor. 


Objective 2: Review and confirm the applicable GDPR/DPA18 provisions that relate to the capture and management 
of biometric data to uniquely identify an individual and identify the processes that would be suitable to meet this 
requirement for data subjects whom Heathrow does not currently have a direct relationship with. 


Objective 3: Utilise insights from the analysis outlined in objective two to design an appropriate, compliant method 
for providing data subjects with sufficient transparency information so that passengers are able to make an informed 
choice and give valid explicit consent for the processing of their biometric information as part of the APJ. This method 
must also meet Heathrow’s operational requirements. 
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e Objective 4: Assess the proposed method for obtaining explicit consent in a live environment and obtain feedback 
from data subjects to establish their understanding and experience of providing explicit consent and utilising the APJ 
service. Feedback from test data subjects should be used to further develop Heathrow’s processes where appropriate. 


Complex data controllership issues 


4.3. To achieve Heathrow’s first objective the Senior Case Officer gathered information from Heathrow, including a data flow map 
for the APJ project, and analysed it to determine which parties should be considered a controller, joint controller or 
processor with regard to the processing activity associated with the APJ. The prospective contractual allocation of the roles 
of controller, joint controller and processor ultimately rests with Heathrow and the other parties involved in the APJ and TVS 
processing activities. However, based on the ICO’s conversations with, and information provided by Heathrow, it appeared 
that Heathrow airport would likely be considered as a joint controller with each of their partner Airlines for the processing of 
personal data associated with the APJ. This is because Heathrow appear to: 


e Jointly, with their Airline partners, be making the decision to introduce facial recognition technology (FRT) based 
identity verification in the terminal. 


e Determine the means and manner through which FRT based identity verifications take place in the terminal. 
e Have their own business interest in introducing FRT identification in the Airport (i.e. enable improved asset utilisation). 


e Bethe party determining which GDPR Article 6 basis and Article 9 condition for processing will be used to process 
biometric data through the APJ. It was however noted that the legal obligation to verify passenger identities associated 
with APJ processing rests with Heathrow’s airline clients. 


4.4. This steer was issued to Heathrow on 7 February 2020. 
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4.5. While considering this question the ICO also considered which party (or parties) could be considered a controller and/or 
processor in respect of TVS processing. Based upon the ICO’s conversations with and the information provided by Heathrow 
it appeared that Heathrow would likely be considered a processor on the behalf of each of their partner airlines for TVS 
processing. This is because Heathrow appears to, in the context of TVS processing, be providing a service to, and acting on 
the instructions of, their partner airlines (who are assumed to be the controllers in this scenario). 


Outstanding risks and actions: 


4.6. If Heathrow wish to continue with TVS processing they should liaise with the other parties involved in APJ and TVS 
processing to ensure all parties are clear on their roles as follows: 


e joint controllers in the context of each relationship between Heathrow and a partner airline for APJ processing; and 
e Heathrow as a processor, and an airline as a controller for TVS processing. 


e These roles should then be formalised in a contract or through an instrument such as Heathrow’s Conditions of Use. 


Extending existing legal obligations for APJ processing 


4.7. When considering how best to complete Heathrow’s second objective, the Senior Case Officer discussed first with Heathrow 
whether or not consent was the most appropriate basis for processing a passenger’s biometric data in the first instance. 
Heathrow said they had already explored some other options and had assessed whether GDPR Article 6,1(c), ‘compliance 
with a legal obligation to which the controller is subject’, could be relied on as their Article 6 basis for processing. As far as 
what the actual legal obligation was, they provided information to the ICO about a 2009 amendment to the Immigration Act 
1971. The amendment stated that Heathrow must use a biometric system to secure and prevent international transitioning 
passengers from breaking the UK border security controls in common departure lounges (i.e. departure lounges where 
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4.8. 


4.9. 


4.10. 


domestic, international and transitioning passengers inhabit common areas) by exchanging boarding passes with a 
passenger on a domestic flight. 


As part of their Sandbox participation Heathrow wanted to explore, as an alternative to reguesting consent from passengers 
for the purposes of establishing a lawful basis for processing, whether this legislative amendment would provide a sufficient 
legal obligation to utilise Article 6,1(c) as a lawful basis for processing all passengers’ biometric data when entering the 
common departure lounge (i.e. as a legal basis for APJ processing). 


Based on the information provided by Heathrow, the ICO formed the view that Heathrow would not be able to rely on this 
amendment as a basis to process all passengers’ biometric data for APJ purposes, because APJ processing appears to go 
beyond the limits of the biometric processing specifically mandated by the 2009 legislative amendment. It was suggested 
that consent and explicit consent would likely be the most appropriate lawful basis and condition for processing respectively, 
for Heathrow to utilise when processing biometric data associated with the APJ. 


This steer was issued verbally to Heathrow on 6 November 2019 and documented via email on 8 November 2019. 


Outstanding risks and actions: 


4.11. 


It was acknowledged by both Heathrow and the ICO that a similar amendment to the 2009 change to the Immigration Act 
1971, or other appropriate legislation may in the future, provide Heathrow with sufficient lawful basis to process the 
biometric data of passengers without their consent for compliance with Article 6 of the GDPR. However, this would still 
require Heathrow and the partner airlines needing to find a suitable Article 9 condition (explicit consent or otherwise) to rely 
upon in order to justify the processing of the biometric data. The work undertaken in the sandbox on this point could provide 
helpful evidence should Heathrow and/or the Airport community wish to seek legislative changes in the future. Heathrow 
would also need to ensure that sufficient technical and organisational measures were in place to continue their compliance 
with the GDPR. 
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How could/should Heathrow collect explicit consent? 


4.12. 


In order to complete the second and third objectives of Heathrow’s Sandbox Plan, the Senior Case Officer facilitated a 
design workshop on 11 December 2019, between Heathrow and the ICO to discuss how Heathrow might collect explicit 
consent from passengers for APJ processing. During this session Heathrow outlined their existing plan to collect explicit 
consent from passengers. The proposed method relies on the use of full consent statements which the passengers have to 
click ‘yes’ onto, to confirm their consent for biometric processing. Heathrow identified that this method of collecting consent 
may represent a poor end point service for passengers (in terms of time taken etc.). In order to ensure they provide the 
best service possible for their passengers, Heathrow wanted to explore the limit/extent of what could be considered to be a 
recordable, unambiguous indication of a passenger’s explicit consent to biometric processing. 


It was decided at the end of this meeting on 11 December 2019, that Heathrow would outline an approach for an alternate 
method of collecting explicit consent, which focused on layering communications and an affirmative action as an express 
statement of consent (eg joining a clearly signed queue for APJ processing and then having screen signage that indicates 
that scanning your Boarding Pass at this station will be taken as an express statement of your explicit consent to biometric 
processing) instead of having passengers/Data Subjects read and click ‘yes’ to an explicit consent statement. After some 
discussion around the ‘privacy trade-offs’ of this option it was agreed that Heathrow should prepare a test plan which clearly 
outlined their proposed method for collecting explicit consent based on a clear affirmative action from the passenger (i.e. by 
scanning their boarding pass). ICO recognised that this method of obtaining consent had the potential to be contrary to the 
ICO’s existing guidance on explicit consent and agreed that Heathrow could develop a test plan for this alternative 
mechanism to gather explicit consent, which if proven to be effective, could have led to possible update of our guidance. 


On 29 January 2020, Heathrow provided an outline of a Boarding Pass based consent process. This was reviewed by ICO 
staff and feedback was provided to Heathrow on 7 February 2020. It was felt that the alternate consent collection method 
proposed by Heathrow in this plan was still largely inadequate and would not meet the threshold for consent as laid out in 
Article 7 of the GDPR, particularly as such consent needed to be explicit. After consideration of this feedback, Heathrow 
notified the ICO on 10 March 2020 that they intended to postpone plans to undertake further evaluation of this alternate 
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process (scanning a Boarding Pass being treated as explicit consent) and would for the immediate future progress as 
outlined in section 4.12, which was seen by the ICO as an acceptable method. However, alternate solutions would continue 
to be explored by Heathrow, including with the airline community. 


Outstanding risks and actions: 


4.15. 


Moving forward, Heathrow will need to ensure that they have suitably robust mechanisms in place to deliver sufficient 
transparency information to data subjects before collecting their explicit consent for biometric processing. Heathrow will also 
need to consider the consent statements given to data subjects when collecting their consent, to ensure they are suitably 
robust to meet the bar set by Article 7 of GDPR. 


Can Heathrow legally undertake TVS processing? 


4.16. 


As mentioned previously in this document, Heathrow wanted to explore whether they could verify passenger identities 
against the TVS database and were seeking to explore whether they could undertake this processing legally under the 
current data protection legislation. Throughout February 2020 the Senior Case Officer liaised with Heathrow to gather what 
information they could provide about the proposed TVS processing activities. 


After analysing the information available, it was determined that Heathrow would likely be a processor in the context of TVS 
processing. It was also determined that, as far as compliance with a lawful basis under Article 6 of the GDPR was concerned, 
the controller(s) for TVS processing could make a reasonable argument for relying on 6,1(f), ‘legitimate interests of the data 
controller’ for the international transfer and subsequent processing of personal data, provided that they undertook a suitable 
Legitimate Interest Assessment (LIA) to justify their processing of biometric data. 


With regards to Article 9 of the GDPR it was unclear whether or not the transfer of personal data to the USA for the 
purposes of biometric processing would trigger article 9 of the GDPR as there are complicated questions as to at what point 
a digital image actually becomes biometric data. 
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4.19. The ICO also advised that, so long as passengers had a sufficient opt out opportunity while they were still in the UK, explicit 
consent gathered by Heathrow for the purposes of relying on the Article 49(1)(a) derogation concerning the international 
transfer of personal data, would likely be considered valid and therefore sufficient for the parties to be able to comply with 
Article 44 of the GDPR. These steers were communicated to Heathrow via email on 11 March 2020. 


Outstanding risks and actions: 


4.20. Moving forward, based on the information provided about the proposed processing activity in the Sandbox, and the steers 
provided by the ICO, Heathrow should consider: 


e Working with their partner airlines to determine in practice and on a case by case basis which parties, for the purposes 
of TVS processing, are considered to be the controllers and/or processors. 


e Determine what the organisation(s) respective obligations under GDPR are. 


e How best the parties involved would comply with Article 44 of the GDPR in the context of TVS processing - as the 
processing activities would involve an international transfer of personal data to the US, and whether the explicit 
consent derogation could be relied on in each situation. 


e Whether or not the actual transfer of personal data associated with TVS processing triggers Article 9 of the GDPR, as 
there are complicated questions as to at what point a digital image actually becomes biometric data. 


e Discussing with their partner airlines/the controllers which Article 6 basis and Article 9 condition for processing (other 
than the transfer itself) they wish to use for TVS processing. 
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By 


5.1. 


5.2: 


BA, 


Ending statement 


Heathrow's participation in the ICO's Regulatory Sandbox has given the ICO the opportunity to gain a valuable insight into 
the Airport sector and how organisations may seek to utilise FRT in new and innovative ways. It is hoped that the ICO's 
work with Heathrow will help to influence our views and guidance on the collection and recording of explicit consent, as well 
as the use and deployment of FRT systems generally and in the context of ports generally. 


It is clear to us from our work with Heathrow that they have a real commitment to making use of innovative technology in a 
compliant way to improve customer experience, efficiency and security. Through our work we recognise that there are likely 
to be a number of challenges faced by any airport as they seek to implement these technologies. These include: 


e Achieving clarity between all parties as to who is the processor or controller in any given circumstance - particularly 
given the many different parties involved in handling passenger data. 


e The complexity and rigidity of other legal frameworks that airports need to operate within on a global scale, how this 
interfaces with GDPR requirements, and where many requirements for handling of personal data are set outside of 
their control (i.e. much of the legislation is directly between Government(s) and Airlines, and the airports are unable to 
exert much influence over the drafting of such legislation). 


e Developing robust and rigorous test plans that enable new methods of gaining consent to be tested that are also cost 
effective, practical and compliant, whilst maintaining ‘business as usual’ function of the Airport. 


Heathrow appear to be on track to begin automating their passengers’ journeys once they have finalised the mechanism 

through which they will gather explicit consent from passengers travelling through the airport. Moving forward, Heathrow 
should look to progress with the actions and address the outstanding risks laid out in this report. Furthermore, Heathrow 
should ensure that they continue to consider the trade-offs of utilising passengers’ special category biometric data when 

innovating and improving their internal processes. If Heathrow effectively address the outstanding risks and actions 
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5.4. 


5.5. 


5.6. 


highlighted in this report then, based on the information we have seen in the Sandbox, it appears feasible that they may be 
able to gather compliant explicit consent from their passengers by utilising consent statements*. This should allow Heathrow 
to process passengers’ biometric data compliantly for the purposes of automating part of their airport journeys. 


Given the challenges set out above, and recognising the global interconnectedness of the air industry, ICO is of the view 
that Heathrow, and indeed other airports, ports, airlines and other relevant stakeholders, should seek to find a way to 
collaborate and establish some sectoral standards for the processing of personal data in the operation of automated 
passenger journeys. Whilst this would not be without challenge, it would be in the clear mutual interest of all concerned to 
improve the efficiency of throughput of passengers in a way that is compliant with global data protection standards. 


As part of this, Heathrow may also wish to consider working with their industry partners (eg Airlines, airports and other 
ports and their representative bodies) to create to create a GDPR Article 40 Code of Conduct to enable them to set out in a 
clear, transparent and standardised manner how they will approach the challenge of utilising passengers’ biometric data for 
the purposes of confirming/verifying identities. 


At the time of writing this report the Covid-19 public health emergency was unfolding across the world with unprecedented 

impact on airports. We are immensely grateful to the team at Heathrow for their engagement in the finalising of this report 

in difficult circumstances. Whilst we are some way off moving to the ‘recovery’ phase of the country’s response to the global 
pandemic, we might hope that in due time and as the country emerges from its current situation that the conditions may be 
set for the kind of cooperation we suggest above. 


4 PLEASE NOTE: The ICO is not in a position to make a determination about other methods of collecting explicit consent from Passengers 
because testing has not, as of the time this report was written, been undertaken. 
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